
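% Xen interface manual (project documentation), cited by URL.
% NOTE(review): no access date is recorded for this URL; add one if the style supports it.
@misc{xenInterface,
  author = {{Xen-team}},
  title  = {{Xen} interface manual},
  year   = {2005},
  url    = {http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/interface/},
}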
  
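% Xen user's manual (project documentation), cited by URL.
% NOTE(review): no access date is recorded for this URL; add one if the style supports it.
@misc{xenUser,
  author = {{Xen-team}},
  title  = {{Xen} user's manual},
  year   = {2005},
  url    = {http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user/},
}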




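% Terra: trusted-computing platform built on a virtual machine monitor.
% The venue is stored in booktitle (it was previously free text in an ignored field),
% so the entry is typed as a conference paper.
% NOTE(review): pages are not recorded.
@inproceedings{garfinkel03terra,
  author    = {Garfinkel, T. and Pfaff, B. and Chow, J. and Rosenblum, M. and Boneh, D.},
  title     = {{Terra}: A virtual machine-based platform for trusted computing},
  booktitle = {Proceedings of the 19th {ACM} Symposium on Operating Systems Principles},
  year      = {2003},
  url       = {http://citeseer.ist.psu.edu/article/garfinkel03terra.html},
}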


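% Virtual machine introspection (VMI) architecture for intrusion detection.
% NOTE(review): pages are not recorded.
@inproceedings{garfinkel:vmi,
  author    = {Garfinkel, Tal and Rosenblum, Mendel},
  title     = {A Virtual Machine Introspection Based Architecture for Intrusion Detection},
  booktitle = {Proc. Network and Distributed Systems Security Symposium},
  month     = feb,
  year      = {2003},
  url       = {http://citeseer.ist.psu.edu/garfinkel03virtual.html},
}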

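% XenFIT: file-system integrity monitoring for Xen virtual machines (ASIACCS '07).
% location is the conference venue; address is the publisher's city.
@inproceedings{XenFIT,
  author    = {Nguyen Anh Quynh and Yoshiyasu Takefuji},
  title     = {A novel approach for a file-system integrity monitor tool of {Xen} virtual machine},
  booktitle = {ASIACCS '07: Proceedings of the 2nd ACM symposium on Information, computer and communications security},
  year      = {2007},
  isbn      = {1-59593-574-6},
  pages     = {194--202},
  location  = {Singapore},
  doi       = {10.1145/1229285.1229313},
  publisher = {ACM Press},
  address   = {New York, NY, USA},
}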
 
 
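 % Tamper-resistant kernel rootkit detector (SAC '07).
 % location is the conference venue; address is the publisher's city.
 @inproceedings{rootkit,
   author    = {Nguyen Anh Quynh and Yoshiyasu Takefuji},
   title     = {Towards a tamper-resistant kernel rootkit detector},
   booktitle = {SAC '07: Proceedings of the 2007 ACM symposium on Applied computing},
   year      = {2007},
   isbn      = {1-59593-480-4},
   pages     = {276--283},
   location  = {Seoul, Korea},
   doi       = {10.1145/1244002.1244070},
   publisher = {ACM Press},
   address   = {New York, NY, USA},
 }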


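% VMM-based sensors for monitoring honeypots (User-Mode Linux and Xen).
% NOTE(review): the crossref target ACM:2006:VPS and the macro ack-nhfb are not defined in
% the visible part of this file. Without the parent entry the booktitle is missing and
% BibTeX reports a bad cross reference -- confirm both are supplied elsewhere.
@InProceedings{VEE06,
  author =       "Kurniadi Asrigo and Lionel Litty and David Lie",
  title =        "Using {VMM}-based sensors to monitor honeypots",
  crossref =     "ACM:2006:VPS",
  year =         "2006",
  DOI =          "10.1145/1134760.1134765",
  pages =        "13--23",
  abstract =     "Virtual Machine Monitors (VMMs) are a common tool for
                 implementing honeypots. In this paper we examine the
                 implementation of a VMM-based intrusion detection and
                 monitoring system for collecting information about
                 attacks on honeypots. We document and evaluate three
                 designs we have implemented on two open-source
                 virtualization platforms: User-Mode Linux and Xen. Our
                 results show that our designs give the monitor good
                 visibility into the system and thus, a small number of
                 monitoring sensors can detect a large number of
                 intrusions. In a three month period, we were able to
                 detect five different attacks, as well as collect and
                 try 46 more exploits on our honeypots. All attacks were
                 detected with only two monitoring sensors. We found
                 that the performance overhead for monitoring such
                 intrusions is independent of which events are being
                 monitored, but depends entirely on the number of
                 monitoring events and the underlying monitoring
                 implementation. The performance overhead can be
                 significantly improved by implementing the monitor
                 directly in the privileged code of the VMM, though at
                 the cost of increasing the size of the trusted
                 computing base of the system.",
  acknowledgement = ack-nhfb,
  bibdate =      "Sat Oct 14 13:49:31 2006",
}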


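% Secure and flexible monitoring of virtual machines (ACSAC 2007).
% Authors are separated with "and"; the affiliation lives in an ignored field so it is
% no longer parsed as part of a name. The venue is stored in booktitle.
% NOTE(review): pages are not recorded.
@inproceedings{bryanSecureVM,
  author      = {Payne, Bryan D. and Carbone, Martim D. P. de A. and Lee, Wenke},
  title       = {Secure and Flexible Monitoring of Virtual Machines},
  booktitle   = {Annual Computer Security Applications Conference},
  year        = {2007},
  affiliation = {Georgia Institute of Technology},
}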

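% Copilot: coprocessor-based kernel runtime integrity monitor (USENIX Security 2004).
% The first author uses the "Last, Jr., First" form so the suffix is parsed as a suffix.
% NOTE(review): pages 13--13 looks like a digital-library placeholder rather than a real
% page range -- verify.
@inproceedings{copilot,
  author    = {Petroni, Jr., Nick L. and Fraser, Timothy and Molina, Jesus and Arbaugh, William A.},
  title     = {{Copilot} - a coprocessor-based kernel runtime integrity monitor},
  booktitle = {SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium},
  year      = {2004},
  pages     = {13--13},
  location  = {San Diego, CA},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}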


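% VMM-based usage control for OS kernel integrity protection (SACMAT '07).
@inproceedings{1266852,
  author    = {Min Xu and Xuxian Jiang and Ravi Sandhu and Xinwen Zhang},
  title     = {Towards a {VMM}-based usage control framework for {OS} kernel integrity protection},
  booktitle = {SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies},
  year      = {2007},
  isbn      = {978-1-59593-745-2},
  pages     = {71--80},
  location  = {Sophia Antipolis, France},
  doi       = {10.1145/1266840.1266852},
  publisher = {ACM},
  address   = {New York, NY, USA},
}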

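% SecVisor: small hypervisor enforcing kernel code integrity (SOSP '07).
@inproceedings{1294294,
  author    = {Arvind Seshadri and Mark Luk and Ning Qu and Adrian Perrig},
  title     = {{SecVisor}: a tiny hypervisor to provide lifetime kernel code integrity for commodity {OSes}},
  booktitle = {SOSP '07: Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles},
  year      = {2007},
  isbn      = {978-1-59593-591-5},
  pages     = {335--350},
  location  = {Stevenson, Washington, USA},
  doi       = {10.1145/1294261.1294294},
  publisher = {ACM},
  address   = {New York, NY, USA},
}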

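% Antfarm: process tracking from the virtual machine monitor (USENIX ATC 2006).
% NOTE(review): the same paper also appears in this file under the key
% JonesEtAl06-Antfarm; cite one key consistently so it is not listed twice.
% NOTE(review): pages 1--1 looks like a digital-library placeholder -- verify.
@inproceedings{antfarm,
  author    = {Stephen T. Jones and Andrea C. Arpaci-Dusseau and Remzi H. Arpaci-Dusseau},
  title     = {{Antfarm}: tracking processes in a virtual machine environment},
  booktitle = {USENIX-ATC'06: Proceedings of the Annual Technical Conference on USENIX'06 Annual Technical Conference},
  year      = {2006},
  pages     = {1--1},
  location  = {Boston, MA},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}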
 
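 % HyperSpector: virtual distributed monitoring environments for intrusion detection (VEE '05).
 @inproceedings{1065006,
   author    = {Kenichi Kourai and Shigeru Chiba},
   title     = {{HyperSpector}: virtual distributed monitoring environments for secure intrusion detection},
   booktitle = {VEE '05: Proceedings of the 1st ACM/USENIX international conference on Virtual execution environments},
   year      = {2005},
   isbn      = {1-59593-047-7},
   pages     = {197--207},
   location  = {Chicago, IL, USA},
   doi       = {10.1145/1064979.1065006},
   publisher = {ACM},
   address   = {New York, NY, USA},
 }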

% Storage-based intrusion detection (USENIX Security 2003).
% NOTE(review): pages 10--10 looks like a digital-library placeholder -- verify.
@inproceedings{1251363,
  title     = {Storage-based intrusion detection: watching storage activity for suspicious behavior},
  author    = {Pennington, Adam G. and Strunk, John D. and Griffin, John Linwood and Soules, Craig A. N. and Goodson, Garth R. and Ganger, Gregory R.},
  booktitle = {SSYM'03: Proceedings of the 12th conference on USENIX Security Symposium},
  pages     = {10--10},
  year      = {2003},
  location  = {Washington, DC},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}

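% Stealthy malware detection through out-of-the-box semantic view reconstruction (CCS '07).
% The quotation marks in the title use TeX quote ligatures; straight double quotes
% would typeset as two closing quotes.
@inproceedings{vmIntroSemantics,
  author    = {Xuxian Jiang and Xinyuan Wang and Dongyan Xu},
  title     = {Stealthy malware detection through {VMM}-based ``out-of-the-box'' semantic view reconstruction},
  booktitle = {CCS '07: Proceedings of the 14th ACM conference on Computer and communications security},
  year      = {2007},
  isbn      = {978-1-59593-703-2},
  pages     = {128--138},
  location  = {Alexandria, Virginia, USA},
  doi       = {10.1145/1315245.1315262},
  publisher = {ACM},
  address   = {New York, NY, USA},
}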

 
 
















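% Recovering trust after a rootkit has modified the system call table.
% NOTE(review): booktitle and year are missing, so BibTeX will warn and the rendered
% reference is incomplete; the address field currently holds the authors' affiliation,
% not a publisher city. Confirm the venue and year before citing.
@inproceedings{re-establishTrust,
  author  = {Julian B. Grizzard and John G. Levine and Henry L. Owen},
  title   = {Re-establishing Trust in Compromised Systems: Recovering from Rootkits that Trojan the System Call Table},
  address = {School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, Georgia 30332--0250, USA},
}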




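% Antfarm: process tracking from the virtual machine monitor (USENIX '06).
% NOTE(review): the same paper also appears in this file under the key antfarm;
% cite one key consistently so it is not listed twice.
@InProceedings{JonesEtAl06-Antfarm,
  title     = {{Antfarm}: Tracking Processes in a Virtual Machine Environment},
  author    = {Stephen T. Jones and Andrea C. Arpaci-Dusseau and Remzi H. Arpaci-Dusseau},
  booktitle = {Proceedings of the USENIX 2006 Annual Technical Conference (USENIX '06)},
  month     = jun,
  year      = {2006},
  address   = {Boston, MA},
}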

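% Geiger: buffer-cache monitoring from the virtual machine monitor (ASPLOS XII).
@InProceedings{JonesEtAl06-Geiger,
  title     = {{Geiger}: Monitoring the Buffer Cache in a Virtual Machine Environment},
  author    = {Stephen T. Jones and Andrea C. Arpaci-Dusseau and Remzi H. Arpaci-Dusseau},
  booktitle = {Architectural Support for Programming Languages and Operating Systems (ASPLOS XII)},
  month     = oct,
  year      = {2006},
  address   = {San Jose, CA},
}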

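% IntroVirt: vulnerability-specific predicates evaluated through VM introspection and replay.
% NOTE(review): the macros j-OPER-SYS-REV and ack-nhfb are not defined in the visible part
% of this file. If they are not supplied elsewhere, BibTeX warns about undefined strings
% and the journal field comes out empty -- confirm the definitions are loaded.
@Article{Joshi:2005:DPP,
  author =       "Ashlesha Joshi and Samuel T. King and George W. Dunlap
                 and Peter M. Chen",
  title =        "Detecting past and present intrusions through
                 vulnerability-specific predicates",
  journal =      j-OPER-SYS-REV,
  volume =       "39",
  number =       "5",
  pages =        "91--104",
  month =        dec,
  year =         "2005",
  CODEN =        "OSRED8",
  DOI =          "10.1145/1095810.1095820",
  ISSN =         "0163-5980",
  bibdate =      "Sat Aug 26 08:55:58 MDT 2006",
  bibsource =    "http://portal.acm.org/",
  abstract =     "Most systems contain software with
                 yet-to-be-discovered security vulnerabilities. When a
                 vulnerability is disclosed, administrators face the
                 grim reality that they have been running software which
                 was open to attack. Sites that value availability may
                 be forced to continue running this vulnerable software
                 until the accompanying patch has been tested. Our goal
                 is to improve security by detecting intrusions that
                 occurred before the vulnerability was disclosed and by
                 detecting and responding to intrusions that are
                 attempted after the vulnerability is disclosed. We
                 detect when a vulnerability is triggered by executing
                 vulnerability-specific predicates as the system runs or
                 replays. This paper describes the design,
                 implementation and evaluation of a system that supports
                 the construction and execution of these
                 vulnerability-specific predicates. Our system, called
                 IntroVirt, uses virtual-machine introspection to
                 monitor the execution of application and operating
                 system software. IntroVirt executes predicates over
                 past execution periods by combining virtual-machine
                 introspection with virtual-machine replay. IntroVirt
                 eases the construction of powerful predicates by
                 allowing predicates to run existing target code in the
                 context of the target system, and it uses checkpoints
                 so that predicates can execute target code without
                 perturbing the state of the target system. IntroVirt
                 allows predicates to refresh themselves automatically
                 so they work in the presence of preemptions. We show
                 that vulnerability-specific predicates can be written
                 easily for a wide variety of real vulnerabilities, can
                 detect and respond to intrusions over both the past and
                 present time intervals, and add little overhead for
                 most vulnerabilities.",
  acknowledgement = ack-nhfb,
}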

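% The key 1065006 (Kourai and Chiba, HyperSpector, VEE '05) is already defined earlier in
% this file. The second copy is omitted here because a repeated key makes BibTeX report
% "Repeated entry" and discard the later definition.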
 
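 % The key 1251363 (Pennington et al., storage-based intrusion detection, SSYM'03) is
 % already defined earlier in this file. The second copy is omitted here because a repeated
 % key makes BibTeX report "Repeated entry" and discard the later definition.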

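% Whether the Intel Pentium can support a secure virtual machine monitor (USENIX Security 2000).
% NOTE(review): pages 10--10 looks like a digital-library placeholder -- verify.
@inproceedings{1251316,
  author    = {John Scott Robin and Cynthia E. Irvine},
  title     = {Analysis of the {Intel} {Pentium}'s ability to support a secure virtual machine monitor},
  booktitle = {SSYM'00: Proceedings of the 9th conference on USENIX Security Symposium},
  year      = {2000},
  pages     = {10--10},
  location  = {Denver, Colorado},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}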

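% Managing covert information-flow risk in virtual machine systems (SACMAT '07).
@inproceedings{1266853,
  author    = {Trent Jaeger and Reiner Sailer and Yogesh Sreenivasan},
  title     = {Managing the risk of covert information flows in virtual machine systems},
  booktitle = {SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies},
  year      = {2007},
  isbn      = {978-1-59593-745-2},
  pages     = {81--90},
  location  = {Sophia Antipolis, France},
  doi       = {10.1145/1266840.1266853},
  publisher = {ACM},
  address   = {New York, NY, USA},
}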

% Non-control-data attacks as a realistic threat (USENIX Security 2005).
% NOTE(review): pages 12--12 looks like a digital-library placeholder -- verify.
@inproceedings{1251410,
  title     = {Non-control-data attacks are realistic threats},
  author    = {Chen, Shuo and Xu, Jun and Sezer, Emre C. and Gauriar, Prachi and Iyer, Ravishankar K.},
  booktitle = {SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium},
  pages     = {12--12},
  year      = {2005},
  location  = {Baltimore, MD},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}

% Protecting against unexpected system calls (USENIX Security 2005).
% NOTE(review): pages 16--16 looks like a digital-library placeholder -- verify.
@inproceedings{1251414,
  title     = {Protecting against unexpected system calls},
  author    = {Linn, C. M. and Rajagopalan, M. and Baker, S. and Collberg, C. and Debray, S. K. and Hartman, J. H.},
  booktitle = {SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium},
  pages     = {16--16},
  year      = {2005},
  location  = {Baltimore, MD},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}

% Detecting targeted attacks with shadow honeypots (USENIX Security 2005).
% NOTE(review): pages 9--9 looks like a digital-library placeholder -- verify.
@inproceedings{1251407,
  title     = {Detecting targeted attacks using shadow honeypots},
  author    = {Anagnostakis, K. G. and Sidiroglou, S. and Akritidis, P. and Xinidis, K. and Markatos, E. and Keromytis, A. D.},
  booktitle = {SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium},
  pages     = {9--9},
  year      = {2005},
  location  = {Baltimore, MD},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}

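% Manitou: a layer-below approach to fighting malware (ASID '06).
@inproceedings{1181311,
  author    = {Lionel Litty and David Lie},
  title     = {{Manitou}: a layer-below approach to fighting malware},
  booktitle = {ASID '06: Proceedings of the 1st workshop on Architectural and system support for improving software dependability},
  year      = {2006},
  isbn      = {1-59593-576-2},
  pages     = {6--11},
  location  = {San Jose, California},
  doi       = {10.1145/1181309.1181311},
  publisher = {ACM},
  address   = {New York, NY, USA},
}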

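% Specification-based detection of semantic integrity violations in kernel dynamic data
% (USENIX Security 2006).
% The first author uses the "Last, Jr., First" form so the suffix is parsed as a suffix.
% NOTE(review): pages 20--20 looks like a digital-library placeholder -- verify.
@inproceedings{1267356,
  author    = {Petroni, Jr., Nick L. and Fraser, Timothy and Walters, AAron and Arbaugh, William A.},
  title     = {An architecture for specification-based detection of semantic integrity violations in kernel dynamic data},
  booktitle = {USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium},
  year      = {2006},
  pages     = {20--20},
  location  = {Vancouver, B.C., Canada},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}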


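% Guarded models for intrusion detection (PLAS '07).
% The accented letter is written as a single brace group starting with the accent command,
% the form BibTeX treats as one character when sorting and building labels.
@inproceedings{1255345,
  author    = {Sa{\"\i}di, Hassen},
  title     = {Guarded models for intrusion detection},
  booktitle = {PLAS '07: Proceedings of the 2007 workshop on Programming languages and analysis for security},
  year      = {2007},
  isbn      = {978-1-59593-711-7},
  pages     = {85--94},
  location  = {San Diego, California, USA},
  doi       = {10.1145/1255329.1255345},
  publisher = {ACM},
  address   = {New York, NY, USA},
}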

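% TCG-based integrity measurement architecture (USENIX Security 2004).
% NOTE(review): pages 16--16 looks like a digital-library placeholder -- verify.
@inproceedings{1251391,
  author    = {Reiner Sailer and Xiaolan Zhang and Trent Jaeger and Leendert van Doorn},
  title     = {Design and implementation of a {TCG}-based integrity measurement architecture},
  booktitle = {SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium},
  year      = {2004},
  pages     = {16--16},
  location  = {San Diego, CA},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
}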


















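% Paladin: automated detection and containment of rootkit attacks.
% Author names carry no trailing digits (these look like affiliation footnote markers
% picked up from the paper's title page).
% NOTE(review): booktitle and year are missing, so BibTeX will warn and the rendered
% reference is incomplete -- confirm the venue and year before citing.
@inproceedings{paladin,
  author = {Arati Baliga and Xiaoxin Chen and Liviu Iftode},
  title  = {{Paladin}: Automated Detection and Containment of Rootkit Attacks},
}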

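% Siren: catching evasive malware (short paper), 2006.
% NOTE(review): journal = {sp} and volume = {0} look like digital-library export
% placeholders (presumably the IEEE Symposium on Security and Privacy, going by the DOI)
% -- confirm the venue and switch the entry type to a conference paper if so.
@article{siren,
  author    = {Kevin Borders and Xin Zhao and Atul Prakash},
  title     = {{Siren}: Catching Evasive Malware (Short Paper)},
  journal   = {sp},
  volume    = {0},
  year      = {2006},
  issn      = {1081-6011},
  pages     = {78--85},
  doi       = {10.1109/SP.2006.37},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA},
}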

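% Protecting sensitive files in a compromised system (SISW '05).
@inproceedings{protSensFiles,
  author    = {Xin Zhao and Kevin Borders and Atul Prakash},
  title     = {Towards Protecting Sensitive Files in a Compromised System},
  booktitle = {SISW '05: Proceedings of the Third IEEE International Security in Storage Workshop (SISW'05)},
  year      = {2005},
  isbn      = {0-7695-2537-7},
  pages     = {21--28},
  doi       = {10.1109/SISW.2005.17},
  publisher = {IEEE Computer Society},
  address   = {Washington, DC, USA},
}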

 % Wikipedia article on hypervisors. The URL carries an oldid parameter, so it points at
 % one specific revision of the page rather than the current text.
 @misc{wiki:hypervisor,
   title  = {Hypervisor --- Wikipedia{,} The Free Encyclopedia},
   author = {Wikipedia},
   url    = {http://en.wikipedia.org/w/index.php?title=Hypervisor&oldid=142674472},
   note   = {[Online; accessed 7-July-2007]},
   year   = {2007},
 }

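% Xen and the art of virtualization (SOSP '03).
@inproceedings{XenArtOfVirt,
  author    = {Paul Barham and Boris Dragovic and Keir Fraser and Steven Hand and Tim Harris and Alex Ho and Rolf Neugebauer and Ian Pratt and Andrew Warfield},
  title     = {{Xen} and the art of virtualization},
  booktitle = {SOSP '03: Proceedings of the nineteenth ACM symposium on Operating systems principles},
  year      = {2003},
  isbn      = {1-58113-757-5},
  pages     = {164--177},
  location  = {Bolton Landing, NY, USA},
  doi       = {10.1145/945445.945462},
  publisher = {ACM Press},
  address   = {New York, NY, USA},
}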

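% Virtual machine security systems (survey by Zhao, Borders and Prakash).
% Authors are separated with "and"; a comma-separated list makes BibTeX fail with
% "Too many commas in name".
% NOTE(review): booktitle and year are missing, and location/address hold the authors'
% affiliation rather than a venue or publisher city -- confirm where this was published.
@inproceedings{VmSecSys,
  author   = {Xin Zhao and Kevin Borders and Atul Prakash},
  title    = {Virtual Machine Security Systems},
  location = {Department of EECS, University of Michigan},
  address  = {Ann Arbor, MI, 48109-2121, USA},
}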

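 % US-CERT vulnerability notes database, cited by URL.
 % The organisation name is double-braced so it is treated as one indivisible name
 % instead of being split into given and family parts.
 @misc{vuls,
   author = {{United States Computer Emergency Readiness Team}},
   title  = {{US-CERT} Vulnerability Notes},
   year   = {2007},
   url    = {http://www.kb.cert.org/vuls},
   note   = {[Online; accessed 15-July-2007]},
 }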


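% MAC-based (mandatory access control) security architecture for the Xen hypervisor (ACSAC '05).
@inproceedings{sHypeXen,
  author    = {Reiner Sailer and Trent Jaeger and Enriquillo Valdez and Ramon Caceres and Ronald Perez and Stefan Berger and John Linwood Griffin and Leendert van Doorn},
  title     = {Building a {MAC}-Based Security Architecture for the {Xen} Open-Source Hypervisor},
  booktitle = {ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference},
  year      = {2005},
  isbn      = {0-7695-2461-3},
  pages     = {276--285},
  doi       = {10.1109/CSAC.2005.13},
  publisher = {IEEE Computer Society},
  address   = {Washington, DC, USA},
}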

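% Attacks on virtual machine emulators (Symantec Advanced Threat Research paper).
% Typed as a report: the entry names an issuing organisation but no proceedings, and a
% conference-paper entry without booktitle renders incompletely.
% NOTE(review): no report number or URL is recorded.
@techreport{VMattacks,
  author      = {Peter Ferrie},
  title       = {Attacks on Virtual Machine Emulators},
  institution = {Symantec Advanced Threat Research},
  year        = {2007},
}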


% Analysis of rootkit attack approaches and detection mechanisms.
% NOTE(review): booktitle and year are missing, and publisher and address hold the same
% institution name -- confirm the venue (or retype the entry) before citing.
@inproceedings{rootkits,
  title     = {Analysis of Rootkits: Attack Approaches and Detection Mechanisms},
  author    = {Shah, Alkesh},
  address   = {Georgia Institute of Technology},
  publisher = {Georgia Institute of Technology},
}



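% NIST guide to intrusion detection and prevention systems (IDPS).
% Typed as a report issued by NIST; the year field holds digits only and the month uses
% the standard macro.
% NOTE(review): the special publication number is not recorded -- add it in a number field.
@techreport{GuideIdps,
  author      = {Karen Scarfone and Peter Mell},
  title       = {Guide to Intrusion Detection and Prevention Systems ({IDPS})},
  institution = {NIST},
  type        = {Computer Security Special Publication},
  month       = feb,
  year        = {2007},
}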

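% Hypervisor-based intrusion detection (Lionel Litty, University of Toronto).
% NOTE(review): journal and year are missing, so this does not render as an article;
% the address holds the author's department, which suggests a thesis or report --
% confirm the document type and year.
@article{HypID,
  author  = {Lionel Litty},
  title   = {Hypervisor-based Intrusion Detection},
  address = {Graduate Department of Computer Science, University of Toronto},
}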


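% Hypervisor malware (Fionnbharr Davies, University of New South Wales).
% NOTE(review): journal and year are missing, so this does not render as an article;
% the address holds the author's school, which suggests a thesis or report --
% confirm the document type and year.
@article{HypMalware,
  author  = {Fionnbharr Davies},
  title   = {Hypervisor Malware},
  address = {The University of New South Wales, School of Computer Science and Engineering},
}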

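% Overview of Xen virtualization, published in Dell Power Solutions.
% Authors are separated with "and"; the periodical is stored in journal, which an
% article entry requires.
% NOTE(review): volume, issue and pages are not recorded.
@article{introXen,
  author  = {Abels, Tim and Dhawan, Puneet and Chandrasekaran, Balasubramanian},
  title   = {An Overview of {Xen} Virtualization},
  journal = {Dell Power Solutions},
  year    = {2005},
}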

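% Book on the Linux virtual memory manager.
% Title and publisher carry no trailing period; the bibliography style adds punctuation,
% so a stored period would print doubled.
@Book{linuxvm,
  author    = {Mel Gorman},
  title     = {Understanding the {Linux} Virtual Memory Manager},
  publisher = {Prentice Hall},
  year      = {2004},
  pages     = {xviii + 727},
  isbn      = {0-13-145348-3},
  urlbib    = {http://www.cs.ucsb.edu/~grze/papers/mm/gorman04linuxvm.bib},
  url       = {http://www.cs.ucsb.edu/~grze/papers/mm/gorman04linuxvm.pdf},
  keyword   = {Memory Management},
}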

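% Book on Linux kernel internals.
% Typed as a book so that publisher and address are printed; standard styles ignore
% both fields on a misc entry.
% NOTE(review): the edition is not recorded.
@book{understandLinuxKernel,
  author    = {Daniel P. Bovet and Marco Cesati},
  title     = {Understanding the {Linux} Kernel},
  publisher = {O'Reilly \& Associates},
  address   = {United Kingdom},
  year      = {2001},
}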

% Physical-memory forensics write-up by Mariusz Burdach.
% NOTE(review): no year, URL or publication medium is recorded, so readers cannot locate
% the source from this entry -- add howpublished or url and a year once confirmed.
@misc{digitalForensics,
  author = {Burdach, Mariusz},
  title  = {Digital forensics of the physical memory},
}

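% Guide to Linux 2.4 kernel internals by Tigran Aivazian.
% NOTE(review): no URL or publication medium is recorded.
@misc{LinuxKernelInternal,
  title  = {{Linux} Kernel 2.4 Internal},
  author = {Tigran Aivazian},
  year   = {2002},
  month  = aug,
}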

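% The Linux Kernel Module Programming Guide.
% NOTE(review): a book entry requires a publisher and none is recorded; BibTeX will warn.
% If this was only released online, a misc entry with a url may fit better -- confirm.
@Book{lkmdg,
  author = {Peter Jay Salzman and Michael Burian and Ori Pomerantz},
  title  = {The {Linux} Kernel Module Programming Guide},
  year   = {2007},
  month  = may,
}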



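% Book on the internals of the Xen hypervisor.
@Book{xenguide,
  author    = {David Chisnall},
  title     = {The Definitive Guide to the {Xen} Hypervisor},
  publisher = {Prentice Hall},
  year      = {2007},
  month     = nov,
}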


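% Linux Magazine article on Linux 2.6 kernel rootkits.
% The url value holds the bare address; quotation marks inside the braces would become
% part of the URL and break the link.
% NOTE(review): the title appears to include a magazine section heading ("SECRET WEAPON");
% volume/issue and pages are not recorded -- verify against the published article.
@Article{norootkits,
  author  = {Amir Alsbih},
  title   = {Rootkits for the {Linux} kernel 2.6 {SECRET WEAPON}},
  journal = {Linux Magazine},
  year    = {2006},
  month   = aug,
  url     = {http://w3.linux-magazine.com/issue/69/How_to_Write_a_Rootkit.pdf},
}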

% Report on host-based intrusion detection systems, cited by URL.
% NOTE(review): no access date is recorded for this URL.
@misc{hids,
  title  = {Host-based Intrusion Detection Systems},
  author = {de Boer, Pieter and Pels, Martin},
  url    = {http://staff.science.uva.nl/~delaat/snb-2004-2005/p19/report.pdf},
  year   = {2005},
}
